COMPANY

Virginia Strengthens IT Security From Data Center to Desktop

officials took a look across the commonwealth," Green said. "We noticed that the infrastructure was certainly aging. There were some issues with older systems as a result of technology being out of date." Green said he suspects some of the security controls in place to safeguard those legacy systems also were antiquated.

Fortunately lawmakers and the executive branch understood the importance of security and passed legislation that became the foundation for the information security program. Among those were policies that empowered the state CIO to develop standards and procedures for security across Virginia. In 2007, the Virginia General Assembly passed legislation requiring the CIO to direct the development of these policies and procedures and gave the Information Technology Investment Board the power to withhold funds if necessary.

Thanks to these efforts, agencies had a mandate to perform risk assessments and use the policies and tools to make that happen -- activities that fall into the IT security program sphere.

Those who spoke to Government Technology about the security project said it wasn't terribly problematic getting the work done, although John Willinger, information security officer for the state Department of Behavioral Health and Developmental Services, hinted at reluctance some agencies had with the changes.

"It's just a matter of getting those agencies that have been used to doing business in a certain way to step up and say, 'OK, we do need a change,'" he said. "I think that's probably the biggest issue -- just agencies being reluctant to take the step."

The state government invested $270 million upfront to transform the robust infrastructure sphere. These changes were spurred by coordination among Virginia's leadership, VITA and other state agencies, with substantial help from Northrop Grumman, their private-sector partner.

"Northrop Grumman was integral in the infrastructure sphere," said Matt Slaight, manager of computer systems security for the company. Northrop Grumman helped with the technology consolidation, the new data center and backup facilities for support.

The primary data center, the 192,000-square-foot Commonwealth Enterprise Solutions Center, opened in July 2007 in Chester, Va., at Tier 3 capability with power from two separate substations and an alternate water supply. According to the TIA-942 standards established by the Telecommunications Industry Association, a Tier 3 data center can have maximum annual downtime of 1.6 hours and must have multiple power and cooling distribution paths. The facility houses more than 600 Northrop Grumman and VITA employees.

Soon after the data center opened, an additional remote recovery site was completed in Lebanon, Va. This facility is 101,000 square-feet, with a help desk and backup capabilities staffed in part by employees from nearby counties and cities.

"By the December [2007] time frame, we were completed with southwest Lebanon's facility, and in the March-April [2008] time frame, we executed the first full disaster recovery test for the commonwealth, utilizing both of those facilities. So it was a very fast turnaround," said Mike Elkins, Northrop Grumman's director of infrastructure services.

Virginia now has standard security tools and policies for more than 23,000 PCs, and a single, statewide network and secure Internet gateway. The state can centrally scan e-mails and endpoints for spam and viruses, a much easier task than it was in a fragmented IT environment.

"There are certainly some benefits that we've seen in our ability to measure and monitor things happening on the network -- our ability to collectively respond more quickly when something does go wrong -- and that can either be a typical security-type incident or an incident with respect to availability of some type. It gives us more visibility," Green said.

But Green's analysis could be understated. Willinger said the process was transformative. "When I say transformation, I mean from the desktop to servers to e-mail to everything. It's a huge undertaking just for our agency alone," Willinger said. "When you

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.